TrendLabs engineers recently spotted a new worm leveraging peer-to-peer (P2P) applications, similar to the threat that displays copyright violation warnings. The new worm, detected by Trend Micro as WORM_PITUPI.K, solves the typical problem P2P worms face: the hard-coded file names they use to pose as cracks, key generators, or actual software.

The problem with hard-coded names is that the malware becomes obsolete once the software it imitates becomes outdated. WORM_PITUPI.K works around this by fetching the names of recently released software from The Pirate Bay website every time it executes. It then drops copies of itself into P2P shared folders, using the names of the top 100 software titles and top 100 games as file names.

The worm is also capable of dropping 200 copies into the P2P shared folders with every execution. At 254,604 bytes per copy, the worm can easily occupy a substantial portion of a user’s system over time. It propagates via removable drives and over the Bearshare, BitComet, eMule, FrostWire, Kazaa, Limewire, Lphant, and Shareaza P2P networks.
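The drop behaviour described above leaves a distinctive footprint on disk: many files with different, software-sounding names that are byte-for-byte identical. The following script, an added example and not Trend Micro's code, scans a P2P shared folder for clusters of same-size, same-hash files under distinct names, which is how an administrator could spot such a mass drop without relying on any particular file name. The shared-folder layout and the `ExampleApp_*` file names are constructed for the demo; only the 254,604-byte copy size is taken from the post.

```python
"""Flag a P2P-worm drop pattern: many differently named files in a shared
folder whose contents are identical (same size, same SHA-256).

Added example, not Trend Micro code. The directory and file names below are
constructed; the copy size PITUPI_COPY_SIZE is the figure reported in the post.
"""
import hashlib
import os
import tempfile
from collections import defaultdict
from typing import Dict, List, Tuple

PITUPI_COPY_SIZE = 254_604  # bytes per copy, as reported for WORM_PITUPI.K


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 so large shares do not exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_identical_clusters(root: str, min_copies: int = 10) -> List[Tuple[int, str, List[str]]]:
    """Return (size, sha256, paths) for every group of at least min_copies
    files under root that share size and content but carry distinct names."""
    by_size: Dict[int, List[str]] = defaultdict(list)
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            try:
                by_size[os.path.getsize(p)].append(p)
            except OSError:
                continue  # unreadable or vanished file: skip, do not abort the scan
    clusters = []
    for size, paths in by_size.items():
        if len(paths) < min_copies:
            continue  # cheap pre-filter: only hash files whose sizes collide
        by_hash: Dict[str, List[str]] = defaultdict(list)
        for p in paths:
            by_hash[sha256_of(p)].append(p)
        for digest, same in by_hash.items():
            distinct_names = {os.path.basename(p) for p in same}
            if len(same) >= min_copies and len(distinct_names) >= min_copies:
                clusters.append((size, digest, sorted(same)))
    return clusters


def build_sample_share(n_copies: int = 12) -> str:
    """Construct a throwaway shared folder: n identical filler blobs under
    software-like names, plus a few legitimate files with distinct content."""
    root = tempfile.mkdtemp(prefix="p2pshare_")
    payload = b"A" * PITUPI_COPY_SIZE  # inert filler, sized like the reported copies
    for i in range(n_copies):
        with open(os.path.join(root, f"ExampleApp_{i}_setup.exe"), "wb") as fh:
            fh.write(payload)
    for i in range(3):
        with open(os.path.join(root, f"real_file_{i}.bin"), "wb") as fh:
            fh.write(os.urandom(1000 + i))  # distinct, harmless content
    return root


def scan_sample() -> Tuple[int, int, int]:
    """Run the detector over the constructed share and summarise the result
    as (number of clusters, size of first cluster, copies in first cluster)."""
    root = build_sample_share()
    clusters = find_identical_clusters(root, min_copies=10)
    return len(clusters), clusters[0][0], len(clusters[0][2])


if __name__ == "__main__":
    n, size, copies = scan_sample()
    print(f"{n} suspicious cluster(s); first: {copies} copies of {size} bytes each")
```

The size-first grouping keeps the scan cheap on a real share: only files whose sizes collide are hashed, so a folder of thousands of unrelated downloads costs little more than a directory walk. Requiring distinct names as well as identical content is what separates a mass drop from, say, a user who copied one installer twice.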

Unfortunately, copies of the malware’s source code have also been found to be freely available in underground forums. As such, malicious programmers can enhance it to include other payloads such as downloading routines or even backdoor capabilities.

Because of this threat and similar ones we have encountered in the past, users are advised to stop downloading illegal software and media content. As this worm also spreads via removable drives, it is advisable to disable the AutoRun feature for removable drives and otherwise harden them against malware.

Trend Micro™ Smart Protection Network™ protects users from this kind of threat by blocking access to all related malicious URLs via the Web reputation service and by preventing the download and execution of WORM_PITUPI.K via the file reputation service.

This entry was posted on Monday, May 10th, 2010 at 8:06 pm and is filed under Malware.